From c08296adff58517934b3ea3e4a6581b55fbc2d0c Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Tue, 10 Jan 2012 22:39:26 -0500
Subject: [PATCH] Configure s4u2proxy during installation.

This creates a new container, cn=s4u2proxy,cn=etc,$SUFFIX
Within that container we control which services are allowed to delegate tickets for other services. Right now that is limited from the IPA HTTP to ldap services.

Requires a version of mod_auth_kerb that supports s4u2proxy

https://fedorahosted.org/freeipa/ticket/1098
---
 freeipa.spec.in | 5 ++++-
 install/conf/ipa.conf | 4 +++-
 install/share/bootstrap-template.ldif | 22 ++++++++++++++++++++++
 install/updates/30-s4u2proxy.update | 18 ++++++++++++++++++
 install/updates/Makefile.am | 1 +
 ipaserver/install/httpinstance.py | 3 +++
 6 files changed, 51 insertions(+), 2 deletions(-)
 create mode 100644 install/updates/30-s4u2proxy.update

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 46aefe1f5..05e1a1a2d 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -103,7 +103,7 @@ Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: httpd
 Requires: mod_wsgi
-Requires: mod_auth_kerb
+Requires: mod_auth_kerb >= 5.4-9
 Requires: mod_nss >= 1.0.8-10
 Requires: python-ldap
 Requires: python-krbV
@@ -621,6 +621,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 
 %changelog
+* Wed Jan 11 2012 Rob Crittenden - 2.99.0-14
+- Set min for mod_auth_kerb to 5.4-9 to pick up s4u2proxy support
+
 * Fri Dec 9 2011 Alexander Bokovoy - 2.99.0-13
 - Fix dependency for samba4-devel package
 
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 72e3e4c01..f256dab4d 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 2 - DO NOT REMOVE THIS LINE
+# VERSION 3 - DO NOT REMOVE THIS LINE
 #
 # LoadModule auth_kerb_module modules/mod_auth_kerb.so
 
@@ -42,6 +42,7 @@ WSGIScriptReloading Off
   SetHandler None
+KrbConstrainedDelegationLock ipa
 # Protect /ipa with Kerberos
@@ -53,6 +54,7 @@ WSGIScriptReloading Off
   KrbAuthRealms $REALM
   Krb5KeyTab /etc/httpd/conf/ipa.keytab
   KrbSaveCredentials on
+  KrbConstrainedDelegation on
   Require valid-user
   ErrorDocument 401 /ipa/errors/unauthorized.html
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 4f6bc3c97..4fba730b1 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -161,6 +161,28 @@ objectClass: nsContainer
 objectClass: top
 cn: posix-ids
 
+dn: cn=s4u2proxy,cn=etc,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: s4u2proxy
+
+dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
+changetype: add
+objectClass: ipaKrb5DelegationACL
+objectClass: groupOfPrincipals
+objectClass: top
+cn: ipa-http-delegation
+memberPrincipal: HTTP/$HOST@$REALM
+ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX
+
+dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
+changetype: add
+objectClass: groupOfPrincipals
+objectClass: top
+cn: ipa-ldap-delegation-targets
+memberPrincipal: ldap/$HOST@$REALM
+
 dn: uid=admin,cn=users,cn=accounts,$SUFFIX
 changetype: add
 objectClass: top
diff --git a/install/updates/30-s4u2proxy.update b/install/updates/30-s4u2proxy.update
new file mode 100644
index 000000000..be1d557e7
--- /dev/null
+++ b/install/updates/30-s4u2proxy.update
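Review bot: `KrbConstrainedDelegation on` is added without a comment, so an operator auditing the generated /etc/httpd/conf.d/ipa.conf cannot tell from this file which services the HTTP principal may now obtain tickets for on a user's behalf; that set lives in LDAP, in the ipa-http-delegation entry under cn=s4u2proxy,cn=etc,$SUFFIX that this patch also creates. Suggest a comment directly above the directive: `# s4u2proxy: the targets HTTP may delegate to are listed under cn=s4u2proxy,cn=etc,$SUFFIX`. The same applies to `KrbConstrainedDelegationLock ipa` in the previous hunk, where the purpose of the lock name is not stated either. The configuration block enclosing this directive starts outside the hunk.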
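Review bot: The `ipaAllowedTarget` value on the ipa-http-delegation entry, `cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX`, does not match the DN at which the target group is actually created two entries below, `cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX`; the `cn=s4u2proxy` RDN is missing, so the ACL points at an entry that does not exist and the HTTP-to-ldap delegation this patch sets out to allow would presumably be refused (or behave unexpectedly, depending on how the KDC handles a dangling target). Change it to `ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX`. The same DN is repeated in install/updates/30-s4u2proxy.update and needs the same correction there. Because membership in these two groups is what permits HTTP/$HOST to obtain tickets for any user towards the listed targets, it is also worth confirming that the ACIs covering cn=etc keep these entries writable only by administrators.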
@@ -0,0 +1,18 @@
+dn: cn=s4u2proxy,cn=etc,$SUFFIX
+default: objectClass: nsContainer
+default: objectClass: top
+default: cn: s4u2proxy
+
+dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
+default: objectClass: ipaKrb5DelegationACL
+default: objectClass: groupOfPrincipals
+default: objectClass: top
+default: cn: ipa-http-delegation
+default: memberPrincipal: HTTP/$HOST@$REALM
+default: ipaAllowedTarget: 'cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX'
+
+dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
+default: objectClass: groupOfPrincipals
+default: objectClass: top
+default: cn: ipa-ldap-delegation-targets
+default: memberPrincipal: ldap/$HOST@$REALM
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index cc7117614..20a1ce3a9 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -18,6 +18,7 @@ app_DATA = \
 	20-user_private_groups.update \
 	20-winsync_index.update \
 	21-replicas_container.update \
+	30-s4u2proxy.update \
 	40-delegation.update \
 	40-dns.update \
 	40-automember.update \
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 79b617289..7fa19c108 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -136,6 +136,9 @@ class HTTPInstance(service.Service):
         pent = pwd.getpwnam("apache")
         os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid)
 
+        # Clean up existing ccache
+        installutils.remove_file('/tmp/krb5cc_%d' % pent.pw_uid)
+
     def __configure_http(self):
         target_fname = '/etc/httpd/conf.d/ipa.conf'
         http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict)
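Review bot: The comment `# Clean up existing ccache` says what the line does but not why the apache user's credential cache has to be removed at this point, and the path `'/tmp/krb5cc_%d' % pent.pw_uid` hard-codes the default FILE ccache location, so the call silently becomes a no-op if httpd is ever run with a different KRB5CCNAME. Suggest replacing the comment with one stating the motivation (presumably so that a cache obtained before s4u2proxy was configured is not reused by the web server — confirm) and noting that the file may legitimately be absent on a fresh install, if installutils.remove_file does not already document that it tolerates a missing path. The enclosing method starts outside the hunk.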